Thursday, October 11, 2012

What Has Router-switch.com Prepared for Its 10th Anniversary?



During the past ten years, from 2002 to 2012, router-switch.com has grown into a leading global Cisco supplier. Along the way it has experienced several vital moments. Here are some of router-switch.com's big events:
2002, Router-switch.com was founded.
2003, Router-switch.com experienced rapid development.
2004, CCIE technical support team was built.
2005, Sales volume maintained 70% growth per year.
2006, Company staff increased to 20.
2007, Router-switch.com established its marketing department and attained a reputation for providing timely Cisco information to clients and Cisco users.
2008, Router-switch.com adopted advanced management tools to improve its service for clients.
2009, Router-switch.com upgraded its warehouses in Hong Kong and Mainland China. Its inventory is worth over $5 million.
2010, Router-switch.com's sales zoomed to $30 million.
2011, Router-switch.com released a new version of its website to update its service. It supplies free CCIE support. Social network platforms were opened to communicate better with customers and clients.
2012, A new router-switch.com office opened in the US to offer professional local service.

Nowadays, router-switch.com is becoming the world's largest online Cisco reseller. It believes that router-switch.com will be more professional, more reliable and stronger with your support.
Note: A letter from the CEO of router-switch.com to thank its customers and share their progress.

More about Router-switch.com:
Router-switch.com, also called Yejian Technologies Co., Ltd, is a worldwide leader in delivering new, used and refurbished Cisco hardware, including Cisco routers, Cisco switches, firewall security, Cisco IP Phones and VoIP, wireless APs, Cisco modules & cards, memory, optical cables, SFP, GBIC, XENPAK, etc. It carries over $5 million in inventory of Cisco hardware and Cisco equipment that can meet the needs of SOHO, small, midsized and large businesses. Router-Switch.com also has more than 8,000 customers worldwide, not only because of its original Cisco products with reliable quality and competitive prices, but also due to its professional service, huge inventory, and flexible payment and shipment. More information about router-switch.com can be found at http://www.router-switch.com/. For ongoing Cisco info, please go to
Blog.router-switch.com: News, tutorials, tips, info & thoughts on developments in the Cisco, Cisco network, IT, software & network hardware industry

More Related Router-switch.com News:
Router-switch.com Announced Its Newly Redesigned Website
“Router Switch”, Our New Company Landing in U.S.—Professional Cisco Supply Service is Around You
Router-switch.com: A Batch of New Cisco Network Equipment Surprises the Coming Christmas Day
Router-Switch.com Uploaded Thousands of New Cisco Products
http://blog.router-switch.com/2011/11/router-switch-com-uploaded-thousands-of-new-cisco-products/

Friday, March 9, 2012

Cisco Switch Port Security---How to Configure Switch Security?

Conventional network security often focuses more on routers and on blocking traffic from the outside. Cisco switches are internal to the organization and designed for ease of connectivity, so only limited or no security measures are applied to them.

The following basic security features can be used to secure your switches and network:
* Physically secure the device
* Use secure passwords
* Enable SSH access
* Enable port security
* Disable http access
* Disable unused ports
* Disable Telnet

Let’s look at how to implement and configure some of the above mentioned switch security features.


1. How to Configure the privileged EXEC password.
Use the enable secret command to set the password. For this activity, set the password to orbit.
SW1#configure terminal
SW1(config)#enable secret orbit
SW1(config)#

2. How to Configure virtual terminal (Telnet) and console passwords and require users to login.
A password should be required to access the console line. Even the basic user EXEC mode can provide significant information to a malicious user. In addition, the VTY lines must have a password before users can access the switch remotely.
Use the following commands to secure the console and Telnet lines:
SW1(config)#line console 0
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#line vty 0 15
SW1(config-line)#password cisco
SW1(config-line)#login
SW1(config-line)#exit
SW1(config)#

3. How to Configure password encryption.
At this stage, the privileged EXEC password is already encrypted. To encrypt the line passwords that you just configured, enter the service password-encryption command in global configuration mode.
SW1(config)#service password-encryption
SW1(config)#

4. How to Configure and test the MOTD banner.
Configure the message-of-the-day (MOTD) using Authorized Access Only as the text. Follow these guidelines:
i. The banner text is case sensitive. Make sure you do not add any spaces before or after the banner text.

ii. Use a delimiting character before and after the banner text to indicate where the text begins and ends. The delimiting character used in the example below is %, but you can use any character that is not used in the banner text.

iii. After you have configured the MOTD, log out of the switch to verify that the banner displays when you log back in.

SW1(config)#banner motd %Authorized Access Only%
SW1(config)#end
SW1#exit

5. How to Configure Port Security
Enter interface configuration mode for FastEthernet 0/11 and enable port security.
Before any other port security commands can be configured on the interface, port security must be enabled.
SW1(config-if)#interface fa0/11
SW1(config-if)#switchport port-security
* Notice that you do not have to exit back to global configuration mode before entering interface configuration mode for fa0/11.

6. How to configure the maximum number of MAC addresses.
To configure the port to learn only one MAC address, set the maximum to 1:
SW1(config-if)#switchport port-security maximum 1

7. How to configure the port to add the MAC address to the running configuration.
The MAC address learned on the port can be added to (“stuck” to) the running configuration for that port.
SW1(config-if)#switchport port-security mac-address sticky

8. How to Configure the port to automatically shut down if port security is violated.
If you do not configure the following command, Catalyst 3750 SW1 only logs the violation in the port security statistics but does not shut down the port.
SW1(config-if)#switchport port-security violation shutdown
Use the show mac-address-table command to confirm that SW1 has learned the MAC address for the intended device, in this case PC1.
SW1#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
20 0060.5c4b.cd22 STATIC Fa0/11

You can also use the show port-security interface fa0/11 command to verify a security violation.
SW1#show port-security interface fa0/11

Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00E0.F7B0.086E:20
Security Violation Count : 1

9. How to Secure Unused Ports
Disabling unused switch ports is a simple method many network administrators use to help secure their network from unauthorized access. On a 3750 series switch, disabling an unused port stops traffic from flowing through the port(s).
Step 1: Disable interface Fa0/10 on SW1.
Enter interface configuration mode for FastEthernet 0/10 and shut down the port.
SW1(config)#interface fa0/10
SW1(config-if)#shutdown

Step 2: Disable interfaces Fa0/1 to Fa0/24 on SW1
SW1(config)#interface range fa0/1-24
SW1(config-if)#shutdown
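As an added example (not part of the original post), the following Python script audits a constructed running-config excerpt against the checklist above: every active Ethernet port must have port security with sticky MAC learning, an explicit violation shutdown and a maximum of one address, unused ports must be shut down, HTTP must be off and the VTY lines must not accept Telnet. The sample config, interface names and finding strings are all assumptions made for this example.

```python
import re

# Constructed sample running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
service password-encryption
ip http server
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
!
interface FastEthernet0/13
 switchport mode access
!
line vty 0 15
 password cisco
 transport input telnet ssh
"""

def parse_interfaces(config):
    """Return {interface name: [its indented sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a non-interface block ends the section
    return interfaces

def audit_interface(name, lines):
    # IOS omits defaults from the running-config, so only lines the post
    # configures explicitly can be verified here; [] means the port passes.
    if "shutdown" in lines:
        return []  # an administratively disabled port needs nothing else
    if "switchport port-security" not in lines:
        return [f"{name}: port security not enabled"]
    findings = []
    if "switchport port-security mac-address sticky" not in lines:
        findings.append(f"{name}: sticky MAC learning not configured")
    if "switchport port-security violation shutdown" not in lines:
        findings.append(f"{name}: violation mode shutdown not explicitly set")
    for line in lines:
        m = re.fullmatch(r"switchport port-security maximum (\d+)", line)
        if m and int(m.group(1)) > 1:
            findings.append(f"{name}: allows {m.group(1)} MAC addresses, expected 1")
    return findings

def audit(config):
    flat = [l.strip() for l in config.splitlines()]
    findings = []
    if "service password-encryption" not in flat:
        findings.append("global: service password-encryption missing")
    if "ip http server" in flat:
        findings.append("global: HTTP access enabled")
    if any(l.startswith("transport input") and "telnet" in l.split() for l in flat):
        findings.append("vty: Telnet accepted on a line")
    for name, lines in parse_interfaces(config).items():
        if name.startswith(("FastEthernet", "GigabitEthernet")):
            findings.extend(audit_interface(name, lines))
    return findings
```

Run `audit(SAMPLE_CONFIG)` against the text of `show running-config` saved from a switch; Fa0/10 (shut down) and Fa0/11 (fully configured as in the post) produce no findings, while Fa0/12 and Fa0/13 do.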

Monday, January 16, 2012

Cisco Switches: Basic A & Q to Know Details of Cisco Catalyst Switches


Most business networks today use switches to connect computers, printers and servers within a building or campus. A network Catalyst switch serves as a controller, enabling networked devices to talk to each other efficiently. Through information sharing and resource allocation, switches save businesses money and increase employee productivity. Below are some basic questions from Cisco switch users; the answers may help you solve problems while using network switches. Let's check them.

Basic A & Q to Know Details of cisco catalyst switch
Q: I have a Cisco 2950c-24 switch with two fiber ports that say 100base-fx. I tried connecting a fiber connection to a GBIC switch that has 10 GBIC ports but they will not talk to each other. I have in the same rack a 2948 switch with two fiber ports, but these ports say 1000base-sx, and this switch does talk with the 3550 GBIC switch. Is there any configuration I can do to make them talk? Thanks
A: The fiber ports on the 2950C are 100 Mbs only while the GBICs on the 3550 are 1000 Mbs, and you can't go back in speed; both ports are forced to their stated speed and no configuration can change that. So you need to get a 2950-24 with 2 GBIC ports so you can link them up. If in doubt get LX GBICs as they will talk over most types of fiber, SM 1310 or MM 850. Remember you can always shoot a SM light down a MM with some loss rather than MM down a SM fiber with total connection loss.
Source(s): http://www.cisco.com/en/US/products/hw/s…
MORE NOTES: There are many types of fiber connectors, including SX, LX, SC, ST, LC, etc.
Each GBIC can only use the connector that it is designed for.
You have described a 2950 with a 100base-fx port. This only means "fiber" as opposed to 100base-tx (Copper). You described the 2948 as having 2 1000base-sx ports (GB Capable SX connector).
There are two options:
1. Determine which type of connector is used on your 2950 and use a fiber patch with that type on the 2950 and SX on the 2948.
2. Connect the fiber patch from the 2950 to a patch panel (usually ST) and from there patch it to an SX patch cable to the 2948 (or appropriate connector to the 3550 GBIC).

Q: Is it safe to reset a Cisco Catalyst switch by disconnecting/reconnecting power? I have a Cisco 3560G switch that has one port locked because I failed to use a crossover cable when I tried to add another switch downstream. Can I safely unplug the switch to force the switch to reset? This works for servers and Linux boxes, but I do not know about Cisco switches.
A: Yes, it is safe. Just ensure that you leave it off for 3 mins.

Q: How to connect two DHCP servers within Cisco switch 3550 10 gigabit ports? I have two DHCP servers with different subnets connected to the same Cisco switch 3550 with 10 gigabit ports. Port # 2 connects to DHCP server1, Port # 3 connects to DHCP server2 and Port # 3 connects to the DHCP client zone. Is it impossible to work out? If yes, please tell me how to do it! Thanks so much in advance! :-)
A: First off, if someone has sold you a 3550 telling you it is a 10G switch, you have been had.
Beyond that, we need to know a little more about what you are trying to do.
The simple option is something like
interface fastethernet 0/1
description DHCP server 1
switchport mode access
switchport access vlan 10
no shutdown

interface fastethernet 0/2
description DHCP server 2
switchport mode access
switchport access vlan 20
no shutdown

interface fastethernet 0/3
description user to get address from DHCP server 1
switchport mode access
switchport access vlan 10
no shutdown

interface fastethernet 0/4
description user to get address from DHCP server 2
switchport mode access
switchport access vlan 20
no shutdown

ip routing

interface vlan 10
ip address <default gateway of the scope of DHCP server 1>
no shutdown
interface vlan 20
ip address <default gateway of the scope of DHCP server 2>
no shutdown

These last two can be repeated as you wish to allocate users to DHCP servers.
This will allow the users on both VLANs to contact each other.

MORE TIPS: You may need to add
interface vlan 10
ip address <default gateway of the scope of DHCP server 1>
ip helper-address <IP of your DHCP>

if you do not have it on the router.
And a little explanation from the Cisco doc:
ip helper-address

To enable the forwarding of User Datagram Protocol (UDP) broadcasts, including BOOTP, received on an interface, use the ip helper-address command in interface configuration mode. To disable the forwarding of broadcast packets to specific addresses, use the no form of this command.

ip helper-address [vrf name | global] address [redundancy vrg-name]
Source(s):
http://www.cisco.com/en/US/docs/ios/12_3t/ip_addr/command/reference/ip1_i1gt.html#wp1169356

Q: Does the Cisco switch IOS 4506 provide the same functionality as the Cisco Switch 6509? At this point I have a Cisco 6509 switch as the main router of a network. I'm forced to change it with a 4506. I want to know if the functionality will be the same or would I have any problems?
A: To determine whether any of the differences will affect you, first determine what IOS/CatOS image you were running on the 6509, then do the same for the 4506 and go here: http://tools.cisco.com/ITDIT/CFN/Dispatc…, it is Cisco's feature comparison tool. You can enter all the parameters in and see what features are exclusively available to one platform or the other. If they are features you need, you know it will not work. If you do not need any of them, then you should be OK.

Q: How would a Cisco Switch stop Ping? Look for any statement I should be looking for in the running config of a Cisco 2950 or 3550 switch. Anything that would stop ICMP echo request packets.
A: Ping what? The SVI? Anything? These are strictly Layer 2 switches, you might be able to write an ACL to stop Ping to the SVI on THAT switch, but in general they will not support ACLs to be applied on interfaces because Layer 3 interfaces are not supported on those two models. If you wanted to stop it on an SVI, I think it would need to be an extended ACL, an example might be:
ip access-list extended Block_Ping
deny icmp any any echo
permit ip any any

Q: Can you connect an Avaya phone to a Cisco switch?
A: If they are IP phones they may be SIP compatible. If they are SIP compatible, you need to ensure your switch supports SIP and then it can be set up as a SIP Station. You need to work with your Cisco business partner. Either way it may be pricey. If you want to sell the phone, that is always an option.

Q: How can I configure a 24 port Cisco switch with 3 VLANs? I forgot the commands and can't figure this out. I want to configure 3 VLANs. F0/0 - 7 as VLAN 1, ports 8-15 as VLAN 2, and ports 16-24 as VLAN 3. I seem to remember "switchport access" but can't remember the rest. Does anyone have detailed commands?
A: Log into the router, switch to enabled mode ('enable'), then configuration mode ('conf t').

To configure an interface, go to interface configuration mode ('interface F0/0' or whatever). To set a port to be in a single VLAN, use:
switchport mode access - put the port in access (single VLAN) mode
switchport access vlan X - set the port's VLAN
Replace 'X' with the vlan number, of course.

You can configure more than one interface at a time. Your full sequence should be:
enable
conf t
interface range F0/0 - 7
switchport mode access
switchport access vlan 1
exit
interface range F0/8 - 15
switchport mode access
switchport access vlan 2
exit
interface range F0/16 - 24
switchport mode access
switchport access vlan 3
exit
exit

Q: Help needed to upgrade my Cisco switch IOS? I have connected my switch via console cable, I have set up a tftp server on my PC; when I try to update the IOS it keeps timing out.
A: First, your computer with the tftp server and the switch need to be connected via the network. When the switch pulls the image, it's not through the console cable, but rather an ethernet port.

Second, your new IOS image needs to be in the correct folder on your local hard drive so the tftp server can reach the file and serve it to clients that ask. This varies greatly by tftp server, so I can't give you clear directions for how to do this.

Third, your switch needs an IP address assigned to a vlan interface. Typically, vlan 1 is used, but more advanced users can use a different one. The configuration usually looks like:

configure terminal
interface vlan 1
ip address w.x.y.z 255.255.255.0
no shut
end

To do a little troubleshooting, try pinging your computer from the switch and then ping the switch from your computer. Due to firewalls, this may or may not work, but it's a good tool.

Lastly, once you are sure that connectivity is in place, you issue the command "copy tftp flash" from the switch. The switch will ask you the IP address of the tftp server, then the filename, and then it will probably ask you if you want to erase the flash. You should usually press "enter" to confirm "yes" to erase the flash, otherwise you'll run out of room in the memory. If you do not receive the question to erase the flash, that means there is a connectivity issue.

Hope this helps.
Source(s):
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801347e2.shtml

Q: Is it possible to do load balancing on a Cisco 3560 switch? Additional Details: I have a building with three floors. Each floor has a 3560 switch that connects to a 4500 switch in the basement. There is also a second link from the 3560s to the 4500 switch in case one link goes down. So I was wondering if I can use both links and then if one link fails, then all the traffic can be routed using the other link.
A: Yes it is possible, but is highly dependent on your particular configuration. Are you running a L2 or L3 image on the switch? If you are trying to do Layer 2 load balancing, you will require multiple VLAN's - or EtherChannel a couple of links together and make sure your src/dst are changing enough to get some load sharing. Layer 3 you will need multiple egress points of course. Hope this helps - will need more specifics to get less generalized in an answer.
<Update> OK, this is an EtherChannel scenario. Take the two ports and bond them together as an EtherChannel (I am not sure still if you are running L2 or L3 3560's - I will assume L2 as they are more common). You should check CCO (www.cisco.com) for exact configuration for your version of software, but essentially you will turn on channeling between the devices, it will leave both links up, load share them and make them redundant.
Source(s): http://www.cisco.com/en/US/tech/tk389/tk…

Q: What does your PC need in order to console into a Cisco switch?
a. COM port
b. Parallel port
c. Firewire port
d. PS/2 port
A: High end Cisco switches usually come with a console cable (blue serial to RJ-45). This goes on the management port of your switch and the other end goes into the serial port of your PC. Then you can use "Hyperterminal" to make a connection to the switch and configure it from there. Other, lower end, switches sometimes have a function that needs you to press a button on the front of the switch for a few seconds, and one of the ports (random) starts to blink. Then you can connect your PC to this port with a normal ethernet cable. Your PC will get an IP address from the switch and you can connect to the switch using the gateway address assigned to the PC. This will be the switch's web site.

Q: How do I setup a VLAN on a Cisco switch?
A: By default a Cisco switch is already using a vlan (that is, vlan 1). As mentioned, some Cisco switches (particularly older Catalyst switches which tended to be rehashed models from companies Cisco had recently bought) run CatOS. Newer/better switches run Cisco IOS.
As for how to "set one up", it's kind of hard to answer without knowing what specifically you're trying to do. The answer posted above me will create an SVI for a VLAN, which may or may not be what you want depending on your goal (note that the example doesn't assign the VLAN to a physical switchport, or configure a switchport to be an access port for that VLAN).
So to answer a question with a question, what specifically are you trying to accomplish? Just basic L2 LAN segmentation? Do you want/need to be able to route between these VLANs? Are your switch(s) running IOS or CatOS? What is your network topology?

Q: Configuring an IP on a configured VLAN, Cisco switch? I need to configure an IP address which is the gateway for which I need that specific port to go to. How do I configure that gateway on that specific VLAN?
A: Cisco switches can confuse you with Vlans. If you've defined a Vlan and assign ports to that Vlan (in Catalyst OS or IOS), no gateway is required. But if you are configuring a Vlan interface with an assigned IP address (such as for managing the switch remotely), then you need to define a gateway.

In the excerpt below, let's say we have
--a layer 2 switch running IOS (such as a Catalyst 2950), which we will admin at 192.168.1.250
--a port connected to a home router that is our default gateway and another port connected to a printer at 192.168.1.100
--the IP address of the home router is 192.168.1.1

!
vlan 2
name Admin
!
interface FastEthernet 0/1
description home router LAN connection
switchport mode access
switchport access vlan 2
!
interface FastEthernet 0/2
description printer - note the IP address doesn't matter
switchport mode access
switchport access vlan 2
!
interface Vlan 2
description Remote Admin IP of Cisco switch
ip address 192.168.1.250 255.255.255.0
!
ip default-gateway 192.168.1.1

As a layer 2 switch, it can support multiple VLANs. But it does not route between VLANs. You could also define a VLAN 10 with another administrative IP address. But if you were connected to your home router (connected on VLAN 2) you could not reach any ports on VLAN 10, including an administrative IP you created in 'interface Vlan 10'.

Q: How do I select a Cisco switch?
A: Before you can select a switch you first need to figure out all the requirements, like the amount of ports, the speed of the ports etc. Keep also in mind the IOS version that can be necessary for certain functionalities. For example QoS only works on the C2950 with enterprise IOS. When that is done, you can select the switch based on these requirements.
Q: What is the command to disable trunk negotiation on a Cisco switch?
A: If you want a port to always be a trunk or always be an access port, then the commands would be "switchport mode trunk" and "switchport mode access" respectively. Now, if you want to disable DTP (dynamic trunking protocol), to prevent the switch from helping the other side to negotiate if it is a dynamic port, then the command would be "switchport nonegotiate".

Q: How can I install IOS into a Cisco switch 3560 series? My Cisco switch 3560 series has no IOS system and I can't get into privileged EXEC mode. The "enable" function can't run!
A: The first thing you need to do is recover the password so you can "enable" privileged mode - you need to "break" as the switch is about to load, as per this info here:
http://www.cisco.com/en/US/products/hw/r…
1/ Put the new IOS onto a tftp server (if you don't have one, google for "tftp server free download").
2/ Get the switch onto the same network as your tftp server.
3/ decide if you have enough room in either flash or RAM (depending on your switch) and
copy tftp flash
Source(s): http://www.cisco.com/warp/public/474/ind…
http://www.cisco.com/en/US/products/sw/i…

More Notes About Network Switches
What is a Network Switch: Unmanaged Switches?
An unmanaged switch works right out of the box. It's not designed to be configured, so you don't have to worry about installing or setting it up correctly. Unmanaged switches have less network capacity than managed switches. You'll usually find unmanaged switches in home networking equipment.

What is a Network Switch: Managed Switches?
A managed network switch is configurable, offering greater flexibility and capacity than an unmanaged switch. You can monitor and adjust a managed switch locally or remotely, to give you greater network control.

What is a Network Switch versus a Router?
Switches create a network. Routers connect networks. A router links computers to the Internet, so users can share the connection. A router acts as a dispatcher, choosing the best path for information to travel so it's received quickly.

What is a Network Switch to My Business?
Switches and routers are the building blocks for all business communications, from data to voice and video to wireless access. They can improve profitability by enabling your company to increase productivity, trim business expenses, and improve security and customer service.